/*
 * TLSv1 server - read handshake message
 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Alternatively, this software may be distributed under the terms of BSD
 * license.
 *
 * See README and COPYING for more details.
 */

#include "includes.h"

#include "common.h"
#include "md5.h"
#include "sha1.h"
#include "x509v3.h"
#include "tls.h"
#include "tlsv1_common.h"
#include "tlsv1_record.h"
#include "tlsv1_server.h"
#include "tlsv1_server_i.h"


static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
                                           const u8 *in_data, size_t *in_len);
static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
                                          u8 ct, const u8 *in_data,
                                          size_t *in_len);


static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct,
                                    const u8 *in_data, size_t *in_len)
{
        const u8 *pos, *end, *c;
        size_t left, len, i, j;
        u16 cipher_suite;
        u16 num_suites;
        int compr_null_found;
        u16 ext_type, ext_len;

        if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
                wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
                           "received content type 0x%x", ct);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
                return -1;
        }

        pos = in_data;
        left = *in_len;

        if (left < 4)
                goto decode_error;

        /* HandshakeType msg_type */
        if (*pos != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
                wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
                           "message %d (expected ClientHello)", *pos);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
                return -1;
        }
        wpa_printf(MSG_DEBUG, "TLSv1: Received ClientHello");
        pos++;
        /* uint24 length */
        len = WPA_GET_BE24(pos);
        pos += 3;
        left -= 4;

        if (len > left)
                goto decode_error;

        /* body - ClientHello */

        wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello", pos, len);
        end = pos + len;

        /* ProtocolVersion client_version */
        if (end - pos < 2)
                goto decode_error;
        conn->client_version = WPA_GET_BE16(pos);
        wpa_printf(MSG_DEBUG, "TLSv1: Client version %d.%d",
                   conn->client_version >> 8, conn->client_version & 0xff);
        if (conn->client_version < TLS_VERSION) {
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
                           "ClientHello");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_PROTOCOL_VERSION);
                return -1;
        }
        pos += 2;

        /* Random random */
        if (end - pos < TLS_RANDOM_LEN)
                goto decode_error;

        os_memcpy(conn->client_random, pos, TLS_RANDOM_LEN);
        pos += TLS_RANDOM_LEN;
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: client_random",
                    conn->client_random, TLS_RANDOM_LEN);

        /* SessionID session_id */
        if (end - pos < 1)
                goto decode_error;
        if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN)
                goto decode_error;
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: client session_id", pos + 1, *pos);
        pos += 1 + *pos;
        /* TODO: add support for session resumption */

        /* CipherSuite cipher_suites<2..2^16-1> */
        if (end - pos < 2)
                goto decode_error;
        num_suites = WPA_GET_BE16(pos);
        pos += 2;
        if (end - pos < num_suites)
                goto decode_error;
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: client cipher suites",
                    pos, num_suites);
        if (num_suites & 1)
                goto decode_error;
        num_suites /= 2;

        cipher_suite = 0;
        for (i = 0; !cipher_suite && i < conn->num_cipher_suites; i++) {
                c = pos;
                for (j = 0; j < num_suites; j++) {
                        u16 tmp = WPA_GET_BE16(c);
                        c += 2;
                        if (!cipher_suite && tmp == conn->cipher_suites[i]) {
                                cipher_suite = tmp;
                                break;
                        }
                }
        }
        pos += num_suites * 2;
        if (!cipher_suite) {
                wpa_printf(MSG_INFO, "TLSv1: No supported cipher suite "
                           "available");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_ILLEGAL_PARAMETER);
                return -1;
        }

        if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) {
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for "
                           "record layer");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_INTERNAL_ERROR);
                return -1;
        }

        conn->cipher_suite = cipher_suite;

        /* CompressionMethod compression_methods<1..2^8-1> */
        if (end - pos < 1)
                goto decode_error;
        num_suites = *pos++;
        if (end - pos < num_suites)
                goto decode_error;
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: client compression_methods",
                    pos, num_suites);
        compr_null_found = 0;
        for (i = 0; i < num_suites; i++) {
                if (*pos++ == TLS_COMPRESSION_NULL)
                        compr_null_found = 1;
        }
        if (!compr_null_found) {
                wpa_printf(MSG_INFO, "TLSv1: Client does not accept NULL "
                           "compression");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_ILLEGAL_PARAMETER);
                return -1;
        }

        if (end - pos == 1) {
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected extra octet in the "
                            "end of ClientHello: 0x%02x", *pos);
                goto decode_error;
        }

        if (end - pos >= 2) {
                /* Extension client_hello_extension_list<0..2^16-1> */
                ext_len = WPA_GET_BE16(pos);
                pos += 2;

                wpa_printf(MSG_DEBUG, "TLSv1: %u bytes of ClientHello "
                           "extensions", ext_len);
                if (end - pos != ext_len) {
                        wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello "
                                   "extension list length %u (expected %u)",
                                   ext_len, (unsigned int) (end - pos));
                        goto decode_error;
                }

                /*
                 * struct {
                 *   ExtensionType extension_type (0..65535)
                 *   opaque extension_data<0..2^16-1>
                 * } Extension;
                 */

                while (pos < end) {
                        if (end - pos < 2) {
                                wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
                                           "extension_type field");
                                goto decode_error;
                        }

                        ext_type = WPA_GET_BE16(pos);
                        pos += 2;

                        if (end - pos < 2) {
                                wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
                                           "extension_data length field");
                                goto decode_error;
                        }

                        ext_len = WPA_GET_BE16(pos);
                        pos += 2;

                        if (end - pos < ext_len) {
                                wpa_printf(MSG_DEBUG, "TLSv1: Invalid "
                                           "extension_data field");
                                goto decode_error;
                        }

                        wpa_printf(MSG_DEBUG, "TLSv1: ClientHello Extension "
                                   "type %u", ext_type);
                        wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientHello "
                                    "Extension data", pos, ext_len);

                        if (ext_type == TLS_EXT_SESSION_TICKET) {
                                os_free(conn->session_ticket);
                                conn->session_ticket = os_malloc(ext_len);
                                if (conn->session_ticket) {
                                        os_memcpy(conn->session_ticket, pos,
                                                  ext_len);
                                        conn->session_ticket_len = ext_len;
                                }
                        }

                        pos += ext_len;
                }
        }

        *in_len = end - in_data;

        wpa_printf(MSG_DEBUG, "TLSv1: ClientHello OK - proceed to "
                   "ServerHello");
        conn->state = SERVER_HELLO;

        return 0;

decode_error:
        wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ClientHello");
        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                           TLS_ALERT_DECODE_ERROR);
        return -1;
}


static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
                                   const u8 *in_data, size_t *in_len)
{
        const u8 *pos, *end;
        size_t left, len, list_len, cert_len, idx;
        u8 type;
        struct x509_certificate *chain = NULL, *last = NULL, *cert;
        int reason;

        if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
                wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
                           "received content type 0x%x", ct);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
                return -1;
        }

        pos = in_data;
        left = *in_len;

        if (left < 4) {
                wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message "
                           "(len=%lu)", (unsigned long) left);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        type = *pos++;
        len = WPA_GET_BE24(pos);
        pos += 3;
        left -= 4;

        if (len > left) {
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message "
                           "length (len=%lu != left=%lu)",
                           (unsigned long) len, (unsigned long) left);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        if (type == TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
                if (conn->verify_peer) {
                        wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
                                   "Certificate");
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                           TLS_ALERT_UNEXPECTED_MESSAGE);
                        return -1;
                }

                return tls_process_client_key_exchange(conn, ct, in_data,
                                                       in_len);
        }
        if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) {
                wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
                           "message %d (expected Certificate/"
                           "ClientKeyExchange)", type);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
                return -1;
        }

        wpa_printf(MSG_DEBUG,
                   "TLSv1: Received Certificate (certificate_list len %lu)",
                   (unsigned long) len);

        /*
         * opaque ASN.1Cert<2^24-1>;
         *
         * struct {
         *     ASN.1Cert certificate_list<1..2^24-1>;
         * } Certificate;
         */

        end = pos + len;

        if (end - pos < 3) {
                wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate "
                           "(left=%lu)", (unsigned long) left);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        list_len = WPA_GET_BE24(pos);
        pos += 3;

        if ((size_t) (end - pos) != list_len) {
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list "
                           "length (len=%lu left=%lu)",
                           (unsigned long) list_len,
                           (unsigned long) (end - pos));
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        idx = 0;
        while (pos < end) {
                if (end - pos < 3) {
                        wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
                                   "certificate_list");
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                           TLS_ALERT_DECODE_ERROR);
                        x509_certificate_chain_free(chain);
                        return -1;
                }

                cert_len = WPA_GET_BE24(pos);
                pos += 3;

                if ((size_t) (end - pos) < cert_len) {
                        wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate "
                                   "length (len=%lu left=%lu)",
                                   (unsigned long) cert_len,
                                   (unsigned long) (end - pos));
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                           TLS_ALERT_DECODE_ERROR);
                        x509_certificate_chain_free(chain);
                        return -1;
                }

                wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)",
                           (unsigned long) idx, (unsigned long) cert_len);

                if (idx == 0) {
                        crypto_public_key_free(conn->client_rsa_key);
                        if (tls_parse_cert(pos, cert_len,
                                           &conn->client_rsa_key)) {
                                wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
                                           "the certificate");
                                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                                   TLS_ALERT_BAD_CERTIFICATE);
                                x509_certificate_chain_free(chain);
                                return -1;
                        }
                }

                cert = x509_certificate_parse(pos, cert_len);
                if (cert == NULL) {
                        wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse "
                                   "the certificate");
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                           TLS_ALERT_BAD_CERTIFICATE);
                        x509_certificate_chain_free(chain);
                        return -1;
                }

                if (last == NULL)
                        chain = cert;
                else
                        last->next = cert;
                last = cert;

                idx++;
                pos += cert_len;
        }

        if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
                                            &reason) < 0) {
                int tls_reason;
                wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
                           "validation failed (reason=%d)", reason);
                switch (reason) {
                case X509_VALIDATE_BAD_CERTIFICATE:
                        tls_reason = TLS_ALERT_BAD_CERTIFICATE;
                        break;
                case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
                        tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
                        break;
                case X509_VALIDATE_CERTIFICATE_REVOKED:
                        tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
                        break;
                case X509_VALIDATE_CERTIFICATE_EXPIRED:
                        tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
                        break;
                case X509_VALIDATE_CERTIFICATE_UNKNOWN:
                        tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
                        break;
                case X509_VALIDATE_UNKNOWN_CA:
                        tls_reason = TLS_ALERT_UNKNOWN_CA;
                        break;
                default:
                        tls_reason = TLS_ALERT_BAD_CERTIFICATE;
                        break;
                }
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason);
                x509_certificate_chain_free(chain);
                return -1;
        }

        x509_certificate_chain_free(chain);

        *in_len = end - in_data;

        conn->state = CLIENT_KEY_EXCHANGE;

        return 0;
}


static int tls_process_client_key_exchange_rsa(
        struct tlsv1_server *conn, const u8 *pos, const u8 *end)
{
        u8 *out;
        size_t outlen, outbuflen;
        u16 encr_len;
        int res;
        int use_random = 0;

        if (end - pos < 2) {
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        encr_len = WPA_GET_BE16(pos);
        pos += 2;

        outbuflen = outlen = end - pos;
        out = os_malloc(outlen >= TLS_PRE_MASTER_SECRET_LEN ?
                        outlen : TLS_PRE_MASTER_SECRET_LEN);
        if (out == NULL) {
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_INTERNAL_ERROR);
                return -1;
        }

        /*
         * struct {
         *   ProtocolVersion client_version;
         *   opaque random[46];
         * } PreMasterSecret;
         *
         * struct {
         *   public-key-encrypted PreMasterSecret pre_master_secret;
         * } EncryptedPreMasterSecret;
         */

        /*
         * Note: To avoid Bleichenbacher attack, we do not report decryption or
         * parsing errors from EncryptedPreMasterSecret processing to the
         * client. Instead, a random pre-master secret is used to force the
         * handshake to fail.
         */

        if (crypto_private_key_decrypt_pkcs1_v15(conn->cred->key,
                                                 pos, end - pos,
                                                 out, &outlen) < 0) {
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt "
                           "PreMasterSecret (encr_len=%d outlen=%lu)",
                           (int) (end - pos), (unsigned long) outlen);
                use_random = 1;
        }

        if (outlen != TLS_PRE_MASTER_SECRET_LEN) {
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected PreMasterSecret "
                           "length %lu", (unsigned long) outlen);
                use_random = 1;
        }

        if (WPA_GET_BE16(out) != conn->client_version) {
                wpa_printf(MSG_DEBUG, "TLSv1: Client version in "
                           "ClientKeyExchange does not match with version in "
                           "ClientHello");
                use_random = 1;
        }

        if (use_random) {
                wpa_printf(MSG_DEBUG, "TLSv1: Using random premaster secret "
                           "to avoid revealing information about private key");
                outlen = TLS_PRE_MASTER_SECRET_LEN;
                if (os_get_random(out, outlen)) {
                        wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random "
                                   "data");
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                           TLS_ALERT_INTERNAL_ERROR);
                        os_free(out);
                        return -1;
                }
        }

        res = tlsv1_server_derive_keys(conn, out, outlen);

        /* Clear the pre-master secret since it is not needed anymore */
        os_memset(out, 0, outbuflen);
        os_free(out);

        if (res) {
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_INTERNAL_ERROR);
                return -1;
        }

        return 0;
}


static int tls_process_client_key_exchange_dh_anon(
        struct tlsv1_server *conn, const u8 *pos, const u8 *end)
{
#ifdef EAP_FAST
        const u8 *dh_yc;
        u16 dh_yc_len;
        u8 *shared;
        size_t shared_len;
        int res;

        /*
         * struct {
         *   select (PublicValueEncoding) {
         *     case implicit: struct { };
         *     case explicit: opaque dh_Yc<1..2^16-1>;
         *   } dh_public;
         * } ClientDiffieHellmanPublic;
         */

        wpa_hexdump(MSG_MSGDUMP, "TLSv1: ClientDiffieHellmanPublic",
                    pos, end - pos);

        if (end == pos) {
                wpa_printf(MSG_DEBUG, "TLSv1: Implicit public value encoding "
                           "not supported");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_INTERNAL_ERROR);
                return -1;
        }

        if (end - pos < 3) {
                wpa_printf(MSG_DEBUG, "TLSv1: Invalid client public value "
                           "length");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        dh_yc_len = WPA_GET_BE16(pos);
        dh_yc = pos + 2;

        if (dh_yc + dh_yc_len > end) {
                wpa_printf(MSG_DEBUG, "TLSv1: Client public value overflow "
                           "(length %d)", dh_yc_len);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)",
                    dh_yc, dh_yc_len);

        if (conn->cred == NULL || conn->cred->dh_p == NULL ||
            conn->dh_secret == NULL) {
                wpa_printf(MSG_DEBUG, "TLSv1: No DH parameters available");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_INTERNAL_ERROR);
                return -1;
        }

        shared_len = conn->cred->dh_p_len;
        shared = os_malloc(shared_len);
        if (shared == NULL) {
                wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for "
                           "DH");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_INTERNAL_ERROR);
                return -1;
        }

        /* shared = Yc^secret mod p */
        if (crypto_mod_exp(dh_yc, dh_yc_len, conn->dh_secret,
                           conn->dh_secret_len,
                           conn->cred->dh_p, conn->cred->dh_p_len,
                           shared, &shared_len)) {
                os_free(shared);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_INTERNAL_ERROR);
                return -1;
        }
        wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange",
                        shared, shared_len);

        os_memset(conn->dh_secret, 0, conn->dh_secret_len);
        os_free(conn->dh_secret);
        conn->dh_secret = NULL;

        res = tlsv1_server_derive_keys(conn, shared, shared_len);

        /* Clear the pre-master secret since it is not needed anymore */
        os_memset(shared, 0, shared_len);
        os_free(shared);

        if (res) {
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_INTERNAL_ERROR);
                return -1;
        }

        return 0;
#else /* EAP_FAST */
        return -1;
#endif /* EAP_FAST */
}


static int tls_process_client_key_exchange(struct tlsv1_server *conn, u8 ct,
                                           const u8 *in_data, size_t *in_len)
{
        const u8 *pos, *end;
        size_t left, len;
        u8 type;
        tls_key_exchange keyx;
        const struct tls_cipher_suite *suite;

        if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
                wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
                           "received content type 0x%x", ct);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
                return -1;
        }

        pos = in_data;
        left = *in_len;

        if (left < 4) {
                wpa_printf(MSG_DEBUG, "TLSv1: Too short ClientKeyExchange "
                           "(Left=%lu)", (unsigned long) left);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        type = *pos++;
        len = WPA_GET_BE24(pos);
        pos += 3;
        left -= 4;

        if (len > left) {
                wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ClientKeyExchange "
                           "length (len=%lu != left=%lu)",
                           (unsigned long) len, (unsigned long) left);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        end = pos + len;

        if (type != TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE) {
                wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
                           "message %d (expected ClientKeyExchange)", type);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
                return -1;
        }

        wpa_printf(MSG_DEBUG, "TLSv1: Received ClientKeyExchange");

        wpa_hexdump(MSG_DEBUG, "TLSv1: ClientKeyExchange", pos, len);

        suite = tls_get_cipher_suite(conn->rl.cipher_suite);
        if (suite == NULL)
                keyx = TLS_KEY_X_NULL;
        else
                keyx = suite->key_exchange;

        if (keyx == TLS_KEY_X_DH_anon &&
            tls_process_client_key_exchange_dh_anon(conn, pos, end) < 0)
                return -1;

        if (keyx != TLS_KEY_X_DH_anon &&
            tls_process_client_key_exchange_rsa(conn, pos, end) < 0)
                return -1;

        *in_len = end - in_data;

        conn->state = CERTIFICATE_VERIFY;

        return 0;
}


static int tls_process_certificate_verify(struct tlsv1_server *conn, u8 ct,
                                          const u8 *in_data, size_t *in_len)
{
        const u8 *pos, *end;
        size_t left, len;
        u8 type;
        size_t hlen, buflen;
        u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN], *hpos, *buf;
        enum { SIGN_ALG_RSA, SIGN_ALG_DSA } alg = SIGN_ALG_RSA;
        u16 slen;

        if (ct == TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
                if (conn->verify_peer) {
                        wpa_printf(MSG_DEBUG, "TLSv1: Client did not include "
                                   "CertificateVerify");
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                           TLS_ALERT_UNEXPECTED_MESSAGE);
                        return -1;
                }

                return tls_process_change_cipher_spec(conn, ct, in_data,
                                                      in_len);
        }

        if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
                wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; "
                           "received content type 0x%x", ct);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
                return -1;
        }

        pos = in_data;
        left = *in_len;

        if (left < 4) {
                wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateVerify "
                           "message (len=%lu)", (unsigned long) left);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        type = *pos++;
        len = WPA_GET_BE24(pos);
        pos += 3;
        left -= 4;

        if (len > left) {
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected CertificateVerify "
                           "message length (len=%lu != left=%lu)",
                           (unsigned long) len, (unsigned long) left);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        end = pos + len;

        if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
                wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake "
                           "message %d (expected CertificateVerify)", type);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
                return -1;
        }

        wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateVerify");

        /*
         * struct {
         *   Signature signature;
         * } CertificateVerify;
         */

        hpos = hash;

        if (alg == SIGN_ALG_RSA) {
                hlen = MD5_MAC_LEN;
                if (conn->verify.md5_cert == NULL ||
                    crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0)
                {
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                           TLS_ALERT_INTERNAL_ERROR);
                        conn->verify.md5_cert = NULL;
                        crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL);
                        conn->verify.sha1_cert = NULL;
                        return -1;
                }
                hpos += MD5_MAC_LEN;
        } else
                crypto_hash_finish(conn->verify.md5_cert, NULL, NULL);

        conn->verify.md5_cert = NULL;
        hlen = SHA1_MAC_LEN;
        if (conn->verify.sha1_cert == NULL ||
            crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) {
                conn->verify.sha1_cert = NULL;
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_INTERNAL_ERROR);
                return -1;
        }
        conn->verify.sha1_cert = NULL;

        if (alg == SIGN_ALG_RSA)
                hlen += MD5_MAC_LEN;

        wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen);

        if (end - pos < 2) {
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }
        slen = WPA_GET_BE16(pos);
        pos += 2;
        if (end - pos < slen) {
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
        if (conn->client_rsa_key == NULL) {
                wpa_printf(MSG_DEBUG, "TLSv1: No client public key to verify "
                           "signature");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_INTERNAL_ERROR);
                return -1;
        }

        buflen = end - pos;
        buf = os_malloc(end - pos);
        if (crypto_public_key_decrypt_pkcs1(conn->client_rsa_key,
                                            pos, end - pos, buf, &buflen) < 0)
        {
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
                os_free(buf);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECRYPT_ERROR);
                return -1;
        }

        wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
                        buf, buflen);

        if (buflen != hlen || os_memcmp(buf, hash, buflen) != 0) {
                wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in "
                           "CertificateVerify - did not match with calculated "
                           "hash");
                os_free(buf);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECRYPT_ERROR);
                return -1;
        }

        os_free(buf);

        *in_len = end - in_data;

        conn->state = CHANGE_CIPHER_SPEC;

        return 0;
}


static int tls_process_change_cipher_spec(struct tlsv1_server *conn,
                                          u8 ct, const u8 *in_data,
                                          size_t *in_len)
{
        const u8 *pos;
        size_t left;

        if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
                wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
                           "received content type 0x%x", ct);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
                return -1;
        }

        pos = in_data;
        left = *in_len;

        if (left < 1) {
                wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        if (*pos != TLS_CHANGE_CIPHER_SPEC) {
                wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; "
                           "received data 0x%x", *pos);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
                return -1;
        }

        wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec");
        if (tlsv1_record_change_read_cipher(&conn->rl) < 0) {
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher "
                           "for record layer");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_INTERNAL_ERROR);
                return -1;
        }

        *in_len = pos + 1 - in_data;

        conn->state = CLIENT_FINISHED;

        return 0;
}


static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
                                       const u8 *in_data, size_t *in_len)
{
        const u8 *pos, *end;
        size_t left, len, hlen;
        u8 verify_data[TLS_VERIFY_DATA_LEN];
        u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN];

        if (ct != TLS_CONTENT_TYPE_HANDSHAKE) {
                wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; "
                           "received content type 0x%x", ct);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
                return -1;
        }

        pos = in_data;
        left = *in_len;

        if (left < 4) {
                wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for "
                           "Finished",
                           (unsigned long) left);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }

        if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) {
                wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received "
                           "type 0x%x", pos[0]);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_UNEXPECTED_MESSAGE);
                return -1;
        }

        len = WPA_GET_BE24(pos + 1);

        pos += 4;
        left -= 4;

        if (len > left) {
                wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished "
                           "(len=%lu > left=%lu)",
                           (unsigned long) len, (unsigned long) left);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }
        end = pos + len;
        if (len != TLS_VERIFY_DATA_LEN) {
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length "
                           "in Finished: %lu (expected %d)",
                           (unsigned long) len, TLS_VERIFY_DATA_LEN);
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECODE_ERROR);
                return -1;
        }
        wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished",
                    pos, TLS_VERIFY_DATA_LEN);

        hlen = MD5_MAC_LEN;
        if (conn->verify.md5_client == NULL ||
            crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) {
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_INTERNAL_ERROR);
                conn->verify.md5_client = NULL;
                crypto_hash_finish(conn->verify.sha1_client, NULL, NULL);
                conn->verify.sha1_client = NULL;
                return -1;
        }
        conn->verify.md5_client = NULL;
        hlen = SHA1_MAC_LEN;
        if (conn->verify.sha1_client == NULL ||
            crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN,
                               &hlen) < 0) {
                conn->verify.sha1_client = NULL;
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_INTERNAL_ERROR);
                return -1;
        }
        conn->verify.sha1_client = NULL;

        if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
                    "client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
                    verify_data, TLS_VERIFY_DATA_LEN)) {
                wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
                tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                   TLS_ALERT_DECRYPT_ERROR);
                return -1;
        }
        wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
                        verify_data, TLS_VERIFY_DATA_LEN);

        if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
                wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
                return -1;
        }

        wpa_printf(MSG_DEBUG, "TLSv1: Received Finished");

        *in_len = end - in_data;

        if (conn->use_session_ticket) {
                /* Abbreviated handshake using session ticket; RFC 4507 */
                wpa_printf(MSG_DEBUG, "TLSv1: Abbreviated handshake completed "
                           "successfully");
                conn->state = ESTABLISHED;
        } else {
                /* Full handshake */
                conn->state = SERVER_CHANGE_CIPHER_SPEC;
        }

        return 0;
}


int tlsv1_server_process_handshake(struct tlsv1_server *conn, u8 ct,
                                   const u8 *buf, size_t *len)
{
        if (ct == TLS_CONTENT_TYPE_ALERT) {
                if (*len < 2) {
                        wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow");
                        tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL,
                                           TLS_ALERT_DECODE_ERROR);
                        return -1;
                }
                wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d",
                           buf[0], buf[1]);
                *len = 2;
                conn->state = FAILED;
                return -1;
        }

        switch (conn->state) {
        case CLIENT_HELLO:
                if (tls_process_client_hello(conn, ct, buf, len))
                        return -1;
                break;
        case CLIENT_CERTIFICATE:
                if (tls_process_certificate(conn, ct, buf, len))
                        return -1;
                break;
        case CLIENT_KEY_EXCHANGE:
                if (tls_process_client_key_exchange(conn, ct, buf, len))
                        return -1;
                break;
        case CERTIFICATE_VERIFY:
                if (tls_process_certificate_verify(conn, ct, buf, len))
                        return -1;
                break;
        case CHANGE_CIPHER_SPEC:
                if (tls_process_change_cipher_spec(conn, ct, buf, len))
                        return -1;
                break;
        case CLIENT_FINISHED:
                if (tls_process_client_finished(conn, ct, buf, len))
                        return -1;
                break;
        default:
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d "
                           "while processing received message",
                           conn->state);
                return -1;
        }

        if (ct == TLS_CONTENT_TYPE_HANDSHAKE)
                tls_verify_hash_add(&conn->verify, buf, *len);

        return 0;
}
